How to Enable Authenticated Firewall Bypass

Updated: January 20, 2009

Applies To: Windows Server 2008

Authenticated bypass enables you to create rules for Windows Firewall with Advanced Security that block incoming traffic unless it is from a specified trusted computer or user. For example, an administrator might want to deploy firewall rules to computers on the network that do not have any subnet, IP address, or port-level exceptions. However, the administrator might also want to use an enterprise management and security program to scan and update those same computers. To reconcile these conflicting goals, the administrator can create and deploy connection security and firewall rules that require computer-based Kerberos version 5 authentication. With these rules and settings in place, the administrator can deploy Windows Firewall with no exceptions, but the scanning server can access all required ports on the clients. The use of authenticated bypass in this scenario eliminates the need for port-level exceptions.

All authenticated IP traffic from approved computers bypasses Windows Firewall. This method uses connection security rules that specify computer-based authentication and a list of computers or groups of computers whose network traffic can bypass the firewall. This method is supported on computers that are running Windows® XP with Service Pack 2 (SP2) or later.

Traffic that matches a firewall rule that uses the Allow connection if it is secure setting bypasses Windows Firewall. The rule can filter the traffic by IP address, port, or protocol. This method is supported on Windows Vista® or Windows Server® 2008.

To allow all authenticated IP traffic from approved computers to bypass Windows Firewall, you configure the Windows Firewall: Allow authenticated IPSec bypass Group Policy setting with a Security Descriptor Definition Language (SDDL) string that contains a list of the computers or groups of computers whose network traffic you want to bypass Windows Firewall. If a computer receives an IPsec-protected network packet from a computer that is a member of one of the security groups on the SDDL list, Windows Firewall allows the traffic to bypass firewall filters on the computer and allows the inbound traffic.

The Windows Firewall: Allow authenticated IPSec bypass Group Policy setting can be found in the Group Policy editing tools under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

To perform the following procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

Open the Windows Firewall: Allow authenticated IPSec bypass setting at the path given above, click Enabled, and then, in Define IPSec peers to be exempted from firewall policy, type the SDDL string that corresponds to the group accounts for the computers to which this policy applies, and then click OK.

Note

Group Policy settings must be refreshed before they take effect.

If you enable the Windows Firewall: Allow authenticated IPSec bypass setting, and then later disable the setting, the SDDL strings that you entered are deleted. Therefore, save the SDDL strings that you use to perform this procedure in case you must perform it again.

This procedure can be performed through Group Policy only. You cannot use the graphical user interface or the command prompt to perform this procedure.
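The SDDL string for the Define IPSec peers to be exempted from firewall policy box must be assembled from group SIDs, and a mistake there (a mistyped SID, or a broad principal such as Everyone) silently widens the bypass. The following PowerShell script is an added example, not part of the original article: it resolves group names to SIDs with .NET rather than Getsid.exe, refuses well-known broad principals, and emits the `O:DAG:DAD:(A;;RCGW;;;SID)` form used for this setting (one ACE per group). The group names and output path are placeholders.

```powershell
# Added example (not from the original article): build the SDDL string for the
# "Windows Firewall: Allow authenticated IPSec bypass" Group Policy setting.
# CONTOSO\ScanServers and CONTOSO\PatchServers are placeholder group names.

function Get-GroupSid {
    # Resolve 'DOMAIN\Group' to its SID string via the .NET account translator.
    param([Parameter(Mandatory = $true)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function ConvertTo-BypassSddl {
    # One (A;;RCGW;;;SID) ACE per group, wrapped in the O:DAG:DAD: header.
    param([Parameter(Mandatory = $true)][string[]]$Group)
    $aces = @()
    foreach ($g in $Group) {
        $sid = Get-GroupSid $g
        # Bypass granted to Everyone (S-1-1-0), Authenticated Users (S-1-5-11) or
        # Domain Computers (RID 515) lets any IPsec-capable domain peer past every
        # inbound rule, which defeats the purpose of the setting. Refuse them.
        if ((@('S-1-1-0', 'S-1-5-11') -contains $sid) -or ($sid -match '-515$')) {
            throw "Refusing to grant authenticated bypass to broad principal $g ($sid)"
        }
        $aces += "(A;;RCGW;;;$sid)"
    }
    'O:DAG:DAD:' + ($aces -join '')
}

$sddl = ConvertTo-BypassSddl -Group 'CONTOSO\ScanServers', 'CONTOSO\PatchServers'
$sddl

# Disabling the policy later deletes the string from the GPO, so keep a copy
# (placeholder path) to re-enter it if the procedure has to be repeated.
$sddl | Out-File -FilePath "$env:USERPROFILE\ipsec-bypass-sddl.txt"
```

Paste the printed string into the setting; the saved copy covers the case described above where disabling the policy discards the SDDL strings.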

You can perform the preceding procedure on computers running Windows Vista and Windows Server 2008, but Windows Vista and Windows Server 2008 also support the creation of more detailed authenticated bypass rules, specifically:

You can enable authenticated bypass only for network traffic types you specify. On Windows XP and Windows Server 2003, any traffic that is successfully authenticated bypasses the firewall; you cannot limit the bypass to specified network ports, protocols, or IP addresses.

You can approve specific users, or groups of users, in addition to computer accounts, because Windows Vista and Windows Server 2008 now support user-based authentication.

You can specify that authenticated bypass is permitted only if the network traffic is encrypted by using IPsec, in addition to the previously required authentication.

Instead of a Group Policy setting, you enable authenticated bypass in Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 by setting the Allow connection if it is secure option in a firewall rule. Selecting this check box enables the Users and Computers tab that you can use to enter the computer or user group accounts that are checked against the credentials supplied by IPsec authentication. This results in a set of rules that say "this traffic from the approved computers or users is permitted if no other rules block it."

If you also enable Override block rules in the firewall rule, then authenticated traffic that matches the rule is permitted, even if another rule would block it. The result is a set of rules that say "this traffic is blocked unless it is coming from an authenticated computer or user who is approved."

To perform the following procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

In the navigation pane, right-click Inbound Rules, and then select New rule.

In the New Inbound Rule Wizard, configure the Rule Type, Program, Protocol and Ports, and Scope, according to the type of network traffic you want to allow to bypass the firewall.

On the Action page, select Allow the connection if it is secure, select Override block rules, and then click Next.

On the Users and Computers wizard page, select Only allow connections from these computers, click Add, and then select the computer or computer groups that you want to allow to bypass the firewall rules on this computer.

Select Only allow connections from these users, click Add, and then select the user or user groups that you want to allow to bypass the firewall rules on this computer.

Note

This option works only if the computers support user-based authentication. User-based authentication is supported in Windows Vista and Windows Server 2008.

Follow the remaining steps in the wizard.

Note

Authenticated bypass and override block rules can also be created by using the Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security node in a GPO.

If you specify the rmtusergrp parameter of the netsh advfirewall firewall add rule command, then you create a rule that works only with computers that support AuthIP, an extension of the Internet Key Exchange (IKE) protocol that adds support for user-based authentication. Computers that are running Windows Vista and Windows Server 2008 support AuthIP. Computers that are running Windows XP or Windows Server 2003 use IKE v1 only, and cannot perform user-based authentication.

When combined into a complete command using a single computer group and a single user group, the syntax for creating an authenticated bypass rule might look like the following:

This example permits authenticated bypass for any network traffic on any port from any IP address, as long as it is authenticated as coming from a user and computer account that is a member of the specified groups.

Use the Getsid.exe command-line tool to obtain the SID of a group account. Getsid.exe is one of the Windows support tools available on the Windows Server 2003 product disk. For information about how to install the support tools, see Install Windows Support Tools (http://go.microsoft.com/fwlink/?linkid=111016). Getsid.exe is used to compare the SIDs of two accounts on different domain controllers, but you can also use it to obtain the SID of a specified user or group account.
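The command-line form of the wizard procedure above, with both a computer group and a user group, is shown here as an added example (not the article's own command). It resolves the group SIDs with .NET instead of Getsid.exe, builds the `D:(A;;CC;;;SID)` strings that rmtcomputergrp and rmtusergrp accept, creates the rule with action=bypass (the netsh equivalent of Allow the connection if it is secure plus Override block rules), and reads the stored rule back. The group names and rule name are placeholders; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): create an authenticated bypass
# rule with netsh advfirewall, limited to one computer group and one user group.
# CONTOSO\ScanServers, CONTOSO\ScanOperators and the rule name are placeholders.

function Get-GroupSid {
    param([Parameter(Mandatory = $true)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# rmtcomputergrp / rmtusergrp take an SDDL string; one ACE per allowed group.
$computerSddl = 'D:(A;;CC;;;' + (Get-GroupSid 'CONTOSO\ScanServers') + ')'
$userSddl     = 'D:(A;;CC;;;' + (Get-GroupSid 'CONTOSO\ScanOperators') + ')'

$ruleName = 'Authenticated-Bypass-ScanServers'

# action=bypass is valid only for dir=in and requires security=authenticate
# (or security=authenc to also require IPsec encryption, the GUI's "Require
# encryption" option). action=allow with security=authenticate would give
# "allow if secure" without overriding block rules.
# protocol=any / remoteip=any mirrors the broad rule the article describes;
# narrow them (protocol=TCP localport=... remoteip=...) where you can.
netsh advfirewall firewall add rule `
    name="$ruleName" `
    dir=in `
    action=bypass `
    security=authenticate `
    protocol=any `
    remoteip=any `
    rmtcomputergrp="$computerSddl" `
    rmtusergrp="$userSddl"

if ($LASTEXITCODE -ne 0) { throw "netsh add rule failed with exit code $LASTEXITCODE" }

# Verify what the firewall actually stored, including the resolved SIDs.
netsh advfirewall firewall show rule name="$ruleName" verbose
```

Because the rule names rmtusergrp, it only matches peers that negotiate with AuthIP (Windows Vista and Windows Server 2008); a Windows XP or Windows Server 2003 scanner that authenticates with IKE v1 will not satisfy it, so drop rmtusergrp if those clients must be covered.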